forensicsfandomcom-20200214-history
Windows registry entries
The Windows registry is a database that stores configuration entries for recent Microsoft operating systems, including Windows Mobile. This page is intended to capture registry entries that are of interest from a digital forensics point of view. There are a number of registry tools that assist with editing, monitoring and viewing the registry.

Registry locations

Windows NT, 2000, XP, and Server 2003

The following Registry files are stored in %SystemRoot%\System32\Config\:

* Sam - HKEY_LOCAL_MACHINE\SAM
* Security - HKEY_LOCAL_MACHINE\SECURITY
* Software - HKEY_LOCAL_MACHINE\SOFTWARE
* System - HKEY_LOCAL_MACHINE\SYSTEM
* Default - HKEY_USERS\.DEFAULT
* Userdiff

The following file is stored in each user's profile folder:

* NTUSER.DAT

Windows 95, 98, and Me

The registry files are named User.dat and System.dat and are stored in the C:\WINDOWS\ directory. In Windows Me, Classes.dat was added.

Windows 3.11

The registry file is called Reg.dat and is stored in the C:\WINDOWS\ directory.

Backup Registry locations

Windows NT, 2000, XP, and Server 2003

The Registry is backed up on a successful install. The following backup Registry files are stored in %SystemRoot%\System32\Config\:

* Sam.sav
* Security.sav
* Software.sav
* System.sav
* Default.sav

The Registry is also backed up as Restore Points. The following backup Registry files are stored in directories similar to the following:

C:\System Volume Information\_restore{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\RPXXX\Snapshot

You may get an "access denied" message when trying to look in the System Volume Information directory. Instructions are available on getting the required access.

The files saved in this directory are:

* _REGISTRY_USER_.DEFAULT
* _REGISTRY_MACHINE_SECURITY
* _REGISTRY_MACHINE_SOFTWARE
* _REGISTRY_MACHINE_SYSTEM
* _REGISTRY_MACHINE_SAM

There are also files for each of the users on the machine, named after their Security Identifier (SID):

* _REGISTRY_USER_NTUSER_S-1-5-19
* _REGISTRY_USER_USRCLASS_S-1-5-19

Windows 95, 98, and Me

Windows 3.11

Transaction Logs

Windows NT, 2000, XP, and Server 2003

The transaction log files are a record of changes made to the Registry since the system has been up. Changes made to the Registry are written to the log files first. The log file is reset once the changes have been written to the Registry. If a system failure occurs before the information is written from the log, then the log is applied to the Registry on the next boot.

The following Transaction Log files are stored in %SystemRoot%\System32\Config\:

* Sam.log
* Security.log
* Software.log
* System.log
* Default.log
* Userdiff.log
* TempKey.log

The following file is stored in each user's profile folder:

* NTUSER.DAT.log

Viewing registry entries

From the command line:

reg.exe QUERY HKLM\System\CurrentControlSet\Control\FileSystem

Useful entries

* HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate

Utilities

* Registry tools useful in digital forensics
** Regmon; part of the Sysinternals tools — A tool for detailed monitoring of applications that are accessing registry items
** Process Monitor; part of the Sysinternals tools — Combines RegMon and FileMon and is the only Sysinternals tool for monitoring the registry in Windows Vista
** jv16 PowerTools — A utility suite containing a registry cleaner, a registry monitor and a registry compactor
** Chntpw — An open-source offline Windows Registry/SAM editor that runs under Linux
** ERD Commander — A bootable CD which includes an offline registry editor for repairing Windows installations
** Win32Registry — Perl registry module allowing access from non-Windows operating systems
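The transaction-log behaviour described above can be checked directly in a hive file's header. The following Python script is an added example and not part of the original wiki page: it parses the documented base block ("regf" header) of an NT-family hive, verifies the header checksum, and reports whether the primary and secondary sequence numbers disagree, which means the hive is dirty and its .log has not yet been applied. The sample header is constructed inline, so no real hive is needed to run it.

```python
# Added example, not from the original wiki page: parse the 4096-byte base block
# ("regf" header) of an NT-family hive and report whether the hive is dirty, i.e.
# its transaction log still has to be applied. Sample header is constructed below.
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 4096
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def base_block_checksum(header: bytes) -> int:
    """XOR of the first 127 DWORDs of the base block (bytes 0..507)."""
    checksum = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        checksum ^= dword
    return checksum


def parse_regf_header(header: bytes) -> dict:
    """Decode the forensically useful base-block fields of a hive file."""
    if len(header) < HEADER_SIZE or header[:4] != b"regf":
        raise ValueError("not a regf hive: bad size or signature")
    primary_seq, secondary_seq = struct.unpack_from("<II", header, 4)
    (filetime,) = struct.unpack_from("<Q", header, 12)
    major, minor, file_type = struct.unpack_from("<III", header, 20)
    (stored_checksum,) = struct.unpack_from("<I", header, 508)
    # UTF-16LE, NUL padded; holds the (possibly truncated) path of the hive file.
    name = header[48:112].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "hive_name": name,
        "version": f"{major}.{minor}",
        "file_type": {0: "primary", 1: "transaction log"}.get(file_type, str(file_type)),
        "last_written_utc": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "primary_sequence": primary_seq,
        "secondary_sequence": secondary_seq,
        # Sequence numbers differ when the last write never completed, so the
        # .log still holds changes not yet written into the hive (dirty hive).
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored_checksum == base_block_checksum(header),
    }


def build_sample_header(name: str, primary: int, secondary: int, filetime: int) -> bytes:
    """Constructed sample base block (NOT a real hive) for demonstration."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:4] = b"regf"
    struct.pack_into("<IIQIIII", hdr, 4, primary, secondary, filetime, 1, 5, 0, 1)
    hdr[48:48 + len(name) * 2] = name.encode("utf-16-le")
    struct.pack_into("<I", hdr, 508, base_block_checksum(bytes(hdr)))
    return bytes(hdr)
```

On a real system the same parser can be pointed at the first 4096 bytes of a copied hive (for example System or NTUSER.DAT) to decide whether the matching .log file must be replayed before the hive is examined.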